misp-circl-feed/feeds/circl/misp/f2049d65-5315-4c37-9bbb-900c9b851204.json

{
"Event": {
"analysis": "1",
"date": "2023-01-19",
"extends_uuid": "",
"info": "OSINT - CircleCI incident report for January 4, 2023 security incident",
"publish_timestamp": "1674116481",
"published": true,
"threat_level_id": "4",
"timestamp": "1674116421",
"uuid": "f2049d65-5315-4c37-9bbb-900c9b851204",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Malicious files to search for and remove:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116099",
"to_ids": true,
"type": "sha256",
"uuid": "5eab642e-d3a5-4170-9aff-770721ce1f01",
"value": "8913e38592228adc067d82f66c150d87004ec946e579d4a00c53b61444ff35bf"
},
{
"category": "Payload delivery",
"comment": "Malicious files to search for and remove:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116087",
"to_ids": true,
"type": "filename",
"uuid": "b0894935-86e3-49fe-99ee-767f8c551d84",
"value": "/private/tmp/.svx856.log"
},
{
"category": "Payload delivery",
"comment": "Malicious files to search for and remove:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116166",
"to_ids": true,
"type": "filename",
"uuid": "9c1bc6dc-e391-46f5-bf31-dc501e06ddfb",
"value": "/private/tmp/.ptslog"
},
{
"category": "Artifacts dropped",
"comment": "Review GitHub audit log files for unexpected commands such as:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116193",
"to_ids": true,
"type": "regkey",
"uuid": "9ad02845-5cfb-4494-89b4-1c3795e3d5bb",
"value": "repo.download_zip"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "fc6531ee-17f5-4f4e-94d8-25b1b355b14f",
"value": "178.249.214.10"
},
{
"category": "Payload delivery",
"comment": "Malicious files to search for and remove:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116173",
"to_ids": true,
"type": "filename",
"uuid": "4f008530-bf04-458c-98fc-5b45a6ae66db",
"value": "PTX-Player.dmg"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "268efcdc-a235-4ef2-a421-b66d0b9b0e7f",
"value": "178.249.214.25"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "41b9f351-1bb3-4d8f-af7c-c018c050702b",
"value": "111.90.149.55"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "4d7b64e3-6e7c-4275-b082-8b80534015c9",
"value": "188.68.229.52"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "af9d8894-d05a-46d1-bfe6-8b478b30371a",
"value": "72.18.132.58"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "89f779a8-ac43-46cf-bf35-adae33af9936",
"value": "89.36.78.135"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "486b2d2f-12bd-4741-ae46-5838f798a10a",
"value": "89.36.78.109"
},
{
"category": "Payload delivery",
"comment": "Block the following domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116053",
"to_ids": true,
"type": "domain",
"uuid": "31150471-744f-47e5-9da9-9eceaac53ca4",
"value": "potrax.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674115917",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b6801c1-e72e-4841-b908-fefce6cdf8cf",
"value": "89.36.78.75"
},
{
"category": "Payload delivery",
"comment": "Malicious files to search for and remove:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1674116076",
"to_ids": true,
"type": "domain",
"uuid": "413ee0ee-1509-4d44-bddd-9bde85e92562",
"value": "ptx.app"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1674115825",
"uuid": "852a38c1-d1b2-43c3-8781-23b8de71e1a1",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1674115825",
"to_ids": false,
"type": "link",
"uuid": "c342b42b-b831-4dd3-b01b-f496ec048e8b",
"value": "https://circleci.com/blog/jan-4-2023-incident-report/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1674115825",
"to_ids": false,
"type": "text",
"uuid": "2a8dc7bd-ec90-49b3-bfda-2117bd548733",
"value": "On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\nWe would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have done our best to balance speed in sharing information with maintaining the integrity of our investigation."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1674115825",
"to_ids": false,
"type": "text",
"uuid": "7d775b15-8637-4e98-a4bc-bd74a19ce591",
"value": "Report"
}
]
}
],
"EventReport": [
{
"name": "Report from - https://circleci.com/blog/jan-4-2023-incident-report/ (1674115837)",
"content": "Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Twitter\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"LinkedIn\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Facebook\") Share on @[tag](misp-galaxy:amitt-misinformation-pattern=\"Reddit\") >Share on Hacker News \r\n \r\n \r\nOn January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we\u2019ve learned, and what our plans are to continuously improve our security posture for the future.\r\n\r\n We would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work. We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores. Additionally, we want to thank our customers and our community for your patience while we have been conducting a thorough investigation. In aiming for responsible disclosure, we have d@[tag](one) our best to balance speed in sharing information with maintaining the integrity of our investigation.\r\n\r\n # This report will cover@[tag](:)\r\n\r\n \r\n * What happened?\r\n * How do we know this attack vector is closed and it\u2019s safe to build?\r\n * Communication and support for customers\r\n * How do I know if I was impacted?\r\n * Details that may help your team with internal investigations\r\n * What we learned from this incident and what we will do next\r\n * A note on employee responsibility vs. systems safeguards\r\n * Security best practices\r\n * Closing thoughts\r\n \r\n## What happened?\r\n\r\n *All dates and times are reported in UTC, unless otherwise noted.*\r\n\r\n On December 29, @[tag](2022), we were alerted to @[tag](suspicious) GitHub OAuth activity by @[tag](one) of our customers. 
This notification kicked off a deeper review by CircleCI\u2019s security team with GitHub.\r\n\r\n On December 30, @[tag](2022), we learned that this customer\u2019s GitHub OAuth token had been compromised by an unauthorized third party. Although that customer was able to quickly resolve the issue, out of an abundance of caution, on December 31, @[tag](2022), we proactively initiated the process of rotating all GitHub OAuth tokens on behalf of our customers. Despite working with GitHub to increase API rate limits, the rotation process took time. While it was not clear at this point whether other customers were impacted, we continued to expand the scope of our analysis.\r\n\r\n By January 4, 2023, our internal investigation had determined the scope of the intrusion by the unauthorized third party and the entry path of the attack. To date, we have learned that an unauthorized third party leveraged malware deployed to a CircleCI engineer\u2019s laptop in order to steal a valid, 2FA-backed SSO session. This machine was compromised on December 16, @[tag](2022). The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.\r\n\r\n Because the targeted employee had privileges to generate production access tokens as part of the employee\u2019s regular duties, the unauthorized third party was able to access and exfiltrate @[tag](data) from a subset of @[tag](data)bases and stores, including customer environment variables, tokens, and keys. We have reason to believe that the unauthorized third party engaged in reconnaissance activity on December 19, @[tag](2022). On December 22, @[tag](2022), exfiltration occurred, and that is our last record of unauthorized activity in our production systems. 
Though all the @[tag](data) exfiltrated was @[tag](encrypted) at rest, the third party @[tag](extracted) encryption keys from a running process, enabling them to potentially access the @[tag](encrypted) @[tag](data).\r\n\r\n While we are confident in the
"id": "144",
"event_id": "145564",
"timestamp": "1674115945",
"uuid": "b2ec2f37-9bd6-4b0c-9c78-b6fef5b99260",
"deleted": false
}
]
}
}